KM-US-13 0 



EL 269 994 616 US Gijzu-//Di 

CRYPTOGRAPH I C COMMUNICATION METHOD AN D ENCRYPTION METHOD 
AND CRYPTOGRAPH I C COMMUNICATION SYSTEM 



BACKGROUND OF THK INVENTION 

Field of the Invention 

' The present invention relates to a highly secure crypto- 
graphic communication method and system, which encrypts and 
communicates information so that the content of the information 
is not understood by anyone other than the parties concerned. 

Description of the Related Art 

In today's so-called advanced information society, important 
business documents and image data are transmitted/ communicated 
and processed in the form of electronic data over computer 
networks. Electronic data can be readily reproduced, and' it is 
impossible to distinguish the reproduction from the original, 
thus placing great importance on the issue of data protection or 
data security. The realization of computer networks, which 
satisfy 3 requisites, i.e., "computer resource sharing," 

"multiple access," and "wide area networking," are essential to 
the establishment of an advanced information society, but such 
networks incorporate elements that are inconsistent with the 
issue of data protection between concerned parties. As an 



effective technique for eliminating inconsistencies, attention is 
focusing on cryptography techniques, which historically have been 
utilized principally in the military and diplomatic fields. 

Cryptography is conversion of information in such a way 
that the meaning of that information cannot be understood by 
anyone other than the concerned parties. The conversion of an 
original text (plaintext), which is capable of being understood 
by anyone, to a text, the meaning of which is not understood by a 
third party ( c iphertext ) , is encryption, the changing of 
ciphertext back into plaintext is decryption, and the overall 
process of this encryption and decryption is called a crypto- 
graphic system. In the encryption process and decryption 
process, secret data, called, respectively, an encryption key and 
a decryption key, are utilized. Since a secret decryption key is 
required for decryption, only a person, who knows this decryption 
key, can decrypt a ciphertext, enabling the confidentiality of 
information to be maintained. 

An encryption key and decryption key can be alike or 
different. A cryptographic system, in which both keys are alike, 
is called a common key cryptographic system, and the DES (Data 
Encryption Standard) adopted by the National Bureau of Standards 
(now the National Institute of Standards and Technology) of the 
United States Department of Commerce is a typical example 
thereof. As an example of a cryptographic system, in which both 
keys differ, a cryptographic system called a public key crypto- 
graphic system has been proposed. This public key cryptographic 
system is a cryptographic system, wherein one pair each of an 
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encryption key and. a decryption key are prepared for each user 
(entity) utilizing the cryptographic system, the encryption key 
is made public via a public key list, and only the decryption key 
is kept secret. In a public key cryptographic system, the 
encryption key and decryption key, which constitute this pair, 
are different, and the decryption key cannot be deduced from the 
encryption key by using a one-way function. 

A public key cryptographic system is an innovative crypto- 
graphic system because it makes the encryption key public. It 
is also compatible with the above-mentioned 3 requisites needed 
to establish an advanced information society. In order to utilize 
the public key cryptographic system in the field of data communi- 
cations technology, research is being actively carried out, and 
the RSA cryptographic system has been proposed as a typical 
public key cryptographic system. This RSA cryptographic system 
was achieved by a one-way function which makes use of the 
difficulty of prime factor analysis. Further, various techniques 
have also been proposed for public key cryptographic systems, 
which make use of the difficulty associated with solving a 
discrete logarithm problem (discrete logarithm problem). 

Further, a cryptographic system, which makes use of ID 
(identity) data specific to an individual, i.e. the name, address 
and the like of each entity, has also been proposed. In this 
cryptographic system, a common encryption key is generated 
between sending and receiving parties on the basis of ID data. 
Further, this ID based cryptographic technique comprises (1) a 
system, wherein a preliminary communication between the sending 
and receiving parties is required in advance of ciphertext 



communications, and (2) a system, wherein a preliminary 
communication between the sending and receiving parties is not 
required in advance of ciphertext communications. It is believed 
that technique (2) in particular, which does not require a 
preliminary communication, and is thus very convenient for an 
entity, will constitute a mainstay of cryptographic systems of 
the future. 

A cryptographic system in accordance with this (2) technique 
is called ID-NIKS (ID-based non-interactive key sharing scheme), 
and it adopts a system, wherein the communicating parties share 
an ID based encryption key and does not perform a preliminary 
communication. ID-NIKS is a system, wherein sending and receiv- 
ing parties need not exchange a public-key and secret key, and a 
key list and third-party service are not required, enabling 
secure communications to be carried out between the entities. 

Fig. 13 of the accompanying drawings illustrates the 
principle behind this ID-NIKS system. It assumes the existence 
of a trusted center, and constitutes a shared key generation 
system having such a center as its core. In Fig. 13, the name, 
address, telephone number and other ID data of entity X is 
expressed as h (ID X ) using a hash function h (-)• The center, 
based on center public information {PC^}, center secret 
information {SCj}, and entity X ID data h (ID X ), computes the 
following secret information S Xi for an arbitrary entity X, and 
distributes it secretly to the entity X. 



S Xi = F i (t SC i>> { pC i>> h < ID X }) 
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Entity X, using the secret information of entity X itself 
{S xi }, center public information {PC i >, and called-party entity Y 
ID data h (IDy), generates a shared key K xy for encryption and 
decryption as follows. 



^XY 



= f ({S Xi }, {PCj}, h ( IDy) ) 



Further, entity Y also generates a shared key K yx for 
communication with entity X in the same manner. If there is a 
relationship K xy = K yx always, these keys K XY , K yx can be used 
as encryption and decryption keys between entities X and Y. 

In the above-described public key cryptographic system, in 
the case of an RSA cryptographic system, for example, the length 
of the public key thereof is 11-19 times longer than- a. current 
telephone number, and is extremely troublesome to handle. 
Contrary thereto, in an ID-NIKS, if each ID data is recorded in 
roster format, shared keys between arbitrary entities, can be 



generated by referencing this ro 



ster. Therefore, if an ID-NIKS 



system like that i 1 lustrated . in Fig. 13 is securely established, 
a handy cryptographic system can be constructed on a computer 
network subscribed to by a number of entities. For this reason, 
ID-NIKS is expected to form the core of cryptographic systems in 
the future. 

Adequate security against collusion by a plurality of 
entities and other such attacks is desirable in an ID-NIKS, 
wherein a shared key, which constitutes an encryption key and a 
decryption key, is shared in common using the ID data of 
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the communicating parties without carrying out a preliminary 
communication. However, an ID-NIKS comprises a problem in that 
attack methods were studied, and if an adequate number of 
entities collude, the secret parameters of the center will be 
disclosed. The ability to construct a cryptographical ly secure 
ID-NIKS is an important issue for the advanced information 
society, and research is being pushed forward on a more ideal 
cryptographic approach. 

Under circumstances such as these, the inventors have 
proposed an ID-NIKS cryptographic method, which is based on 
secure and simple ID data, does not require a preliminary 
communication, and is resistant to collusion attacks (Japanese 
Patent Application Laid-Open Publication No. 10-210022/1998). 
This method is characterized in that it has the below-described 
key-sharing function as a non-separable function, and the basis 
of the security thereof lies in this characteristic and the 
difficulty of a discrete logarithm problem. 

However, in this ID-NIKS cryptographic method, a special 
prime number must be utilized (a prime number P, which , is 
specified as P = 2pq + 1 (p, q : large prime numbers)). It has 
been proven, from a practical standpoint, that this prime number 
exists in sufficient quantity, but, undeniably, it leaves little 
freedom in the design of the cryptographic system. Further, the 
key sharing process must adhere to a 2-stage computing step, and 
there might be an effective attack method that can be applied 
during the computing steps, making it vulnerable to attack. These 
kinds of problems exist with this cryptographic system, leaving 
room for improvement. 
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SUMMARY OF THE IN VENTION 



An object of the present invention is to provide a novel 
high-security ID-NIKS-based cryptographic communication method 
and cryptographic communication system, wherein center secret 
parameters are not disclosed, and ciphertext can not be decrypted 
even if entities collude with one another. 

Another object of the present invention is to provide a 
cryptographic communication method and a cryptographic 
communication system, which are capable of solving the problems 
in the system of prior application Japanese Patent Application 
Laid-open Publication No. 10-210022/1998, heightening design 
freedom, and further enhancing security. 

According to a 1st aspect of the present invention, there is 
provided a cryptographic communication method for communication 
of information between two entities, wherein an entity-specific 
secret key is sent to each entity from a center, one entity uses 
this entity-specific secret key and a public key of the other 
entity, encrypts a plaintext into a ciphertext, and transmits it 
to the other entity, and the other entity then decrypts the 
ciphertext into the original plaintext by using the entity- 
specific secret key sent from the center and a public key of the 
above-mentioned one entity, the method being characterized in 
that cryptographic information is communicated between the two 
entities using, an each entity-specific first key, which is made 
public as the above-mentioned public key; an each entity-specific 
secret second key, which is related to the above-mentioned secret 
key, and which can be determined from the center via a first 
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function using the first key of each entity; and a third key, 
which is expressed as a second function having 2 variables 
(i.e., the one entity's second key and the other entity's first 
key), and which is shared by both entities, who make use of it 
when encrypting a plaintext into a ciphertext, and when decrypt- 
ing a ciphertext into a plaintext, and further characterized in 
that the first function, which has as parameters an each 
entity-specific random number controlled or administered by the 
center, and a third function, which can be obtained by substitut- 
ing the first function for the second function, and which has the 
one entity's and the other entity's first keys as variables, 
are set in the below-defined non-separable function for each 
respective variable. 

Definition: When a suitable commutative operation is treated 
as 0, and function f (•) satisfies f (x + y) f f (x) O f (y), 
function f (•) is characterized as being non-separable in accord- 
ance with the operation O. 

The second key may comprise a first secret key, which is 
generated from an each entity-specific first key and a symmetric 
matrix controlled by the center; a second secret key, which is 
generated by multiplying a random number by the first secret key; 
and a third secret key, which is generated on the basis of a 
random number. Further, the center may send the second and 
third secret keys to each entity. One entity may then generate 
a third key using the second and third secret keys and the first 
key of the other entity. 

The following expression may be used as the arithmetic 



expression when the center generates the first, second and third 
secret keys. 

5? = T^ (mod L) 
~at = n • (mod L) 
yi s g r& (mod N) 

Provided that 

Vector v i : First key of entity i 
Vector x ± : First secret key of entity i 
Vector s i : Second secret key of entity i 
y^ Third secret key of entity i 
r i : Random number of entity i 
L: L = X (N) 

N: N = PQ (P, Q are prime numbers) 

T: Symmetric matrix (Each component is relatively prime 

to L) 

g: Maximum generator over N as a modulus 

e: an integer that is relatively prime to L 

A ("): Carmichael function 

The following expression may be used as the arithmetic 
expression when the one entity generates the third key based on 
the second and third secret keys and the first key of the other 
entity. 




The each entity-specific first key may be determined by 
calculating identification information of each entity using a 
hash function. 

According to a 2nd aspect of the present invention, there is 
provided an encryption method, wherein an each entity-specific 
secret key is sent to each entity from a center, and an entity 
uses this entity-specific secret key sent from the center to 
encrypt a plaintext into a ciphertext, this encryption method 
being characterized in that a plaintext is encrypted into a 
ciphertext using an each entity-specific first key, which has 
been made public; an each entity-specific secret second key, 
which is determined in the center in accordance with the first 
key using a first function; and a third key, which is expressed 
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by a second function having 2 variables (the second key of the 
encrypting entity itself and the first key of the other entity, 
who is the recipient of the ciphertext) , and further character- 
ized in that a first function, which has as parameters an each 
entity-specific random number controlled by the center, and a 
third function, which can be obtained by substituting the first 
function for the second function, and which has the one entity's 
and the other entity's first keys as variables, are set in the 
below-defined non-separable function for each respective 
variable . 

Definition: When a suitable commutative operation is treated 
as 0, and function f (■) satisfies f (x + y) £ f (x) 0 f (y) , 
function f (•) is characterized as being non-separable in accord- 
ance with the operation O. 

According to a 3rd aspect of the present invention, there is 
provided a cryptographic communication system, which comprises a 
plurality of entities, which reciprocally perform processing for 
encrypting a plaintext (or information) into a ciphertext and 
transmitting it to another entity, and processing for decrypting 
a transmitted ciphertext into an original plaintext; 'and a 
center, which sends an each entity-specific secret key to each 
entity, this cryptographic communication system being character- 
ized in that the center determines each entity-specific secret 
second keys in accordance with a first function from an each 
entity-specific first key that has been made public, and the 
plurality of entities determine a third key, which is expressed 
by a second function having 2 variables of the one entity's 
second key and the other entity's first key, and which is used 
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when encrypting a plaintext into a ciphertext, and when 
decrypting a ciphertext into a plaintext, and further character- 
ized, in that a first function, which has as parameters an each 
entity-specific random number controlled by the center, and a 
third function, which can be obtained by substituting the first 
function for the second function, and which has the one entity's 
and the other entity's first keys as variables, are set in 
the below-defined non-separable function for each respective 
variable. 

Definition: When a suitable commutative operation is treated 
as O, and function f (■) satisfies f (x + y) ? f (x) 0 f (y) , 
function f (■) is characterized as being non-separable in 
accordance with the operation 0. 

The second key may comprise a first secret key, a second 
secret key, and a third secret key. Further, the center may 
include means for calculating the first secret key from each 
entity-specific first key and a symmetric matrix controlled by 
the center; means for calculating the second secret key by 
multiplying the first secret key by a random number; and means 
for calculating the third secret key on the basis of the 'above- 
mentioned random number, and may send the calculated second and 
third secret keys to each entity. 

Each of the entities may include means for calculating the 
third key from the second and third secret keys sent from the 
center, and the first key of the other entity (i.e., communicat- 
ing party) . 

The concept of the ID-NIKS of the cryptographic communica- 
tion method of the present invention is described hereinbelow. 
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First, separability in a function is defined as follows by 
generalizing the concept of linearity. When a suitable 
commutative operation is treated as O, and function f (*) 
satisfies the following relational expression, this function f 
(■) is defined as being separable in accordance with the 
operation 0. 

f (x + y) = f (x) 0 f (y) 

For example, f (x) = ax and f (x) = a x are separable as 
shown below. 

f (x + y) = a (x + y) = ax + ay = f (x) + f (y) 
f (x + y) = a x + y = a x • a^ = f (x) • f (y) 

The definition of the power computation of a matrix is as 
shown below. Provided that each matrix A, B, C is treated as a 
matrix of m x 1 , 1 x n, m x n, respectively. 

Define the matrix right power computation C = A B as 

c V = XL aa,bhi ( i= l>2,...,m, i=l,2,...,n) 
jt=i 

Define the matrix left power computation C = A B as 
t 

Ci } = Ij6fci 0;fc (»= 1,2,. j= 1,2,. ...ti) 



Further, an operation *, which finds the product for each 
component of a matrix, is defined as shown below. Provided that 
each matrix A, B, C is treated as an m x n matrix. 
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Define the component products of matrix C = 



A * B as 




(i = 1, 2, 



3 



= 1, 2, 



n) . 



In accordance with the above definitions, the following 
properties are achieved. Provided that t signifies the matrix, 
transposition. 



Next, conditions for achieving ID-NIKS , and conditions for a 
secure ID-NIKS are considered. Provided that i, j, y and z 



("first key" in the claims), which is an ID hash value in most 
cases, s i is treated as a secret key of entity i ("second key"), 
and K^j is treated as an entity i-determined key shared with 
entity j ("third key"). 

The following 3 conditions are required for achieving ID- 
NIKS. 

Condition 1 (Secret Key Condition): 

A center can determine a secret key Sj from a corresponding 
public key v ± of entity i using a secret-key function f (■) 
("first function"). 





4. (A*B) C = A C *B C 

5. A( B + C ) = A B *A C 



represent entities, is treated 



the public key of entity 



Bj. = f (Vi) 



Condition 2 (Key Generation Condition) : 
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A shared key K^j can be determined from the secret key of 
entity i and the public key v- of entity j using a key- 
generation function g (■) ("second function"). 

K ij = 8 ( s i> v j> 
Condition 3 (Key Sha ring Condition);, 

The shared key j , which entity i generates for entity j, 
and the shared key K • , which entity j generates for entity i, 
are alike. 

K ij = K ji 

Therefore, a key-sharing function F (•) ("third function"), which 
can be produced by substituting the secret-key function f (■) for 
the key-generation function f ('), and which has public keys , 
Vj as variables, is a symmetric function. 

F ( Vi> Vj ) = F (vj. v £ ) 

provided that 

F (v £> v.) = g (f ( Vi ). Vj ) - g {fli , v.) 

Further, to construct an ID-NIKS that is secure against a 
collusion attack by a plurality of entities, the following 
conditions 4-6 should be satisfied. 

Condition 4 (Secret Key Security Against Collusion) : 

The secret-key function f (•) is a non-separable function 
as shown below. 
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f <x + y) f f (x) 0 f (y) 



When the secret-key function f (') is a separable function, 
the secret key s z of another entity z can be revealed and 
generated by a collusion attack using the secret keys s i , Sj of 
2 entities i, j. For example, if v % = v i + and secret keys 

s i; Sj are prepared in advance, it is possible to determine the 
secret key s z of entity z as follows. 

* z = ' (v E ) 

= f ( Vi + Y S ) 

= f ( Vi ) O f {v.) 
= S i 0 S 3 

Condition 5 (Shared Key Security Against Collusion): 

The key-sharing function F(-)> as shown below, is a non- 
separable function. 

F Ca, x + y) £ F (a, x) O F (a, y) 

In accordance with Condition 3, since the key-sharing 
function F(-) is a symmetric function, the following expression 
is also realized. 

F (x + y, a) f F (x, a) O F (y, a) 

When the key-sharing function F(-) is a separable function, 
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the shared key may be generated by a collusion attack of 
entities using a shared key. When entities i, j collude with one 
another, v z = v i + v j ' and K iy < = g ^ s i' v y^ = F ^ v i' v y^ and 

K jy c= g (s j' V = F K iy (= g {s i' V = F {v i' v y })) are 

prepared beforehand, it is possible to determine the shared key 
K yz between entities y, z as follows. 

K yz = F (v y> v z ) 

= F (v yJ Vi + Vj ) 

= F < v y v 0 0 F Cv y V 

= F (v i; v y ) OF ( Vj , v y ) 
= K iy O K jy 

Condition 5 is extremely strict. Regardless of the 
intermediary calculation, just the fact that the function format 
in the key sharing stage is separable does not mean that security 
is perfect. For example, a sum of products-type ID-NIKS, or a 
power product-type ID-NIKS do not satisfy this condition. 
Condition 6 (Security of Center Secrets) : 

Center secrets cannot be determined no matter what type of 
attack is perpetrated. 

In the present invention, in addition to establishing a 
third function (key-sharing function) as a non-separable function 
similar to the prior invention (Condition 5), a first function is 
established as a non-separable function by treating each entity- 
specific secret random number as a parameter, and incorporating 
it into the function (Condition 4) . In the present invention, 
the basis of security is placed on the characteristic of a non- 
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separable function, and on a difficulty of attack equivalent to 
RSA cryptography. Further, there is no need to prepare a special 
prime number in advance, thus heightening freedom of design, and 
the calculation step for determining a third key (shared key), 
which both entities share, is completed in one stage, enhancing 
security and increasing resistance to attack. 



BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic diagram showing the constitution of a 
cryptographic communication system of the present invention; 

Fig. 2 schematically illustrates the state of data 
communications between 2 entities; 

Fig. 3 shows the internal constitution of the shared key 
generator of Fig. 2; 

Fig. 4 is a diagram illustrating the security of secrets at 
a center when a personal random number is not provided; 

Fig. 5 illustrates the security of secrets at a center when 
a personal random number is provided; 

Fig. 6 illustrates a numerical example, which represents 
the security of the present invention; 

Figs. 7A, 7B, 7C, 8A and 8B illustrate in combination a 
first numerical example according to the present invention; 

Figs. 9A, 9B, 9C, 10, 11 and 12 are diagrams showing in 
combination a second numerical example of the present invention; 
and 

Fig. 13 is a block diagram of the principle of an ID-NIKS 



system. 



DETAILE D DESCRIPTION OF THE INVENTION 



Referring to Fig. 1, illustrated is a schematic diagram 
showing the constitution of a cryptographic communication system 
according to the present invention. A center 1, which can be 
trusted to maintain the confidentiality of information, is 
established. This center 1 may be a public institution. This 
center 1 is connected to each of a plurality of entities a, 
h, . .., z, the users, who utilize this cryptographic system, via 
secret communication channels 2a, 2b, 2z, and secret key 

data is transmitted to each entity a, b, z from the center 1 

via these secret communication channels 2a, 2b, 2z. 
Further, communication channels 3ab, 3az, 3bz, ... are provided 
between 2 entities, and a ciphertext, which is encrypted communi- 
cation information, is transmitted between the entities via this 
communication channel 3ab, 3az, 3bz , .... 

The configuration for implementing the ID-NIKS of the 
present Invention is described hereinbelow. First, the crypto- 
graphic system of the present invention is described with respect 
to "Center 1 Preparations", "Entity Registration", and 
"Generation of Shared Key Between Entities" in turn. 
Center 1 Preparations 

The center 1 prepares the following public keys and secret 
keys, and reveals the public keys. 
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Public Key N N = PQ 

e Relatively small integer relatively 

prime to L 
Secret Key P, Q Large primes 

L L = A (N) 

g Maximum generator over N as a 

modulus 

T n x n symmetric matrix (Each 

component is relatively prime to 
L) ' 

r^ Personal secret random number 
Provided that A. ( • ) is the Carmlchael function. The hash 

function h (•) for calculating an n dimension public key vector v 
("first key") from entity ID data is made public at the same 
time. A hash function is a function, which converts a data 
string to a different data string, and generally is a function, 
which converts a long data string to a short data string. When 
this hash function is used to calculate a public key vector v, 
the sum of all the components is regulated to become e. That 
is, the expression hereinbelow is realized. Provided that v ik 
indicates the kth component of vector Vj. More specifically, 
when a public key vector v is a binary vector, the Schalkwijk 
algorithm can be utilized, and in general, (n-1) components are 
determined by the hash value, and the final 1 component is 
determined so that the sum of the total is e. 
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Entity Registration 

The key management center 1, which is requested by entity i 
to perform registration, carries out the following calculation 
using a prepared key and a public key vector v i (=h (ID^.) of 
entity i, determines, in order, entity i vector x i ("first 
secret key"), vector s i ("second secret key"), and yi ("third 
secret key"), and completes registration by secretly sending the 
determined vector Si and y A to entity i. Vector x^ which is a 
personal secret, is not sent directly to entity i at this time. 

1. Determine ^ 

5? = T^ (mod L) 

2. Select a random number r i that is relatively prime to L, 
and determine a* 

if = n - xt (mod L) 

3. Determine r i ~ e (mod L) , and determine y i . 

yi = g r * 6 (mod N) 

Equation 8 



Generation of Inter-entity Sh ared Key 

In order for entity i to share a key with entity j, a shared 
key ("third key") is determined by repeating e times high- 

speed exponentiation like the following. 

Kii S r(r(r(yr i )")' 43 )")' i ") *)"" 
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= g V% T J (mod N) 



Equation 9 



The communication of information between entities in the 
above-described cryptographic system is described next. Fig. 2 
schematically shows data communications between 2 entities a, b. 
The example of Fig. 2 depicts a situation, in which entity a 
encrypts a plaintext (message) M into a ciphertext C, and 
transmits it to entity b, and entity b decrypts this ciphertext C 
into the original plaintext (message) M. 

The entity a side comprises a public key generator 11, which 
produces a vector v b (public key) by inputting entity b personal 
identification data ID b , and using a hash function; a shared key 
generator 12, which generates a shared key K ab for between 
entities a and b that is sought by entity a on the basis of 
secret vectors s a and y a sent from the key managing center or KMC 
1, and vector v fo , which is the public key from the public key 
generator 11; and an encryption unit 13, which uses the shared 
key K ab to encrypt a plaintext (message) M into a ciphertext C 
and outputs it to a communication channel 30. 

The entity b side comprises a public key generator 21, which 
produces a vector v a (public key) by inputting entity a personal 



identification data ID a , and using a hash function; a shared key 
generator 22, which generates a shared key K ba for communication 
with entity a that is sought by entity b on the basis of secret 
vectors s b and y b sent from the center 1, and vector v a , which is 
the public key from the public key generator 21; and a decryption 
unit 23, which uses the shared key K ba to decrypt a ciphertext C 
inputted from a communication channel 30 into a plaintext 
(message) M and outputs it. 

Fig. 3 is a diagram showing the internal constitution of the 
shared key generator 12 (22) of Fig. 2. The shared key generator 
12 (22) has a first register 41, which stores vector s sent from 
the center 1; a second register 42, which stores each component 
of vector s; a third register 43, which stores y sent from the 
center 1; a fourth register 44, which stores vector v sent from 
the public key generator 11 (21); a fifth register 45, which 
stores each component of vector v; a sixth register 46, which 
stores a natural number N; and a highspeed exponent computing 
element 47, which uses the outputs of the second, third, fifth 
and sixth registers 42, 43, 45, 46 to perform the exponentiation 
shown in Equation 9. 

The operation is described next. When entity a attempts to 
send information to entity b, first of all, the personal 
identification data ID b of entity b is inputted to the public key 
generator 11, vector v fe (public key) is produced, and the 
produced vector v fe is sent to the shared key generator 12. 
Further, vectors s a and y & , which are determined by the center 1 
in accordance with Equation 8, are inputted to the shared key 
generator 12. A shared key K ab is determined in accordance with 



Equation 9 by the shared key generator 12 of Fig. 3, and sent to 
the encryption unit 13. In the encryption unit 13, a plaintext 
(message) M is encrypted into a ciphertext C using this shared 
key K ab , and the ciphertext C is transmitted via the communica- 
tion channel 30. 

The ciphertext C transmitted over the communication channel 
30 is inputted to the decryption unit 23 of entity b. The 
personal identification data ID a of entity a is inputted to the 
public key generator 21 f; vector v a (public key) is produced, and 
the produced vector v a is sent to the shared key generator 22. 
Further, the vectors x b and y b , which are determined by the 
center 1 in accordance with Equation 8, are inputted to the 
shared key generator 22. A shared key K ba is determined in 
accordance with Equation 9 by the shared key generator 22 of 
Fig. 3, and sent to the decryption unit 23. In the decryption 
unit 23, the ciphertext C is decrypted into a plaintext (message) 
M using this shared key K ba - 

Next, verification is made of the fact that this crypto- 
graphic system of the present invention satisfies the above- 
described ID-NIKS achievability (Conditions 1-3) and ID-NIKS 
security (Conditions 4-6). 
Fnr Condition 1 

The secret-key function f (•) is defined as shown below 
having a personal secret random number r i as a parameter, and 
using this secret-key function f (•), the center 1 can 
determine a corresponding secret key from the public key of an 
entity. 
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f r .(v?) = riT Vi (modi) 



(For Condition 2) 

The key-generation function g (-) is defined as shown below, 
and a shared key can be generated from the secret key of one 
entity and the public key of another entity. 

G({yi, I?) = Vi Si (mod N) 

For Condition 3 

The key-sharing function F (■) is defined by the following 
expression, and since a center secret matrix T is a symmetric 
matrix, F (•) is a symmetric function as shown in the following 
expression, and shared keys generated by reciprocal entities are 
ident ical . 



vt, 1$) = g Vi T " J ' {mod N) 



= 9 



For Condition 4 

The secret-key function f (")» as shown below, constitutes 
a separable function when parameter r is fixed, but since the 
value of this parameter r is different for each entity in the 
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cryptographic system of the present invention, the secret-key 
function f (•) is a non-separable function. 



For example, when vector v x = vector v i + vector Vj , then 
vector x x = vector x i * vector x j , but because vector x j _ itself 
is not distributed to an entity, and vector s i , which multiplies 
a personal random number r i thereby, is distributed, vector s x 5 
vector s A * vector a. is not realized, and neither vector s x nor 
vector x x , which are personal secrets, can be determined. 
For Condition 5 

Because the key-sharing function F (■) is a non- 
separable function, as shown in the following expression, no 
matter how many public keys and secret keys are gathered in 
accordance with the collusion of a plurality of entities, the 
keys shared between any other entities cannot be determined. 



= 9 



For Condition 6 
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Center secrets (P, Q, L, g, r i , and T) are hot revealed even 
when a plurality of entities collude with one another. The bases 
for center secrets P, Q, L, g, and r ± not being revealed are as 
follows . 

P, Q, L: Difficulty of factorization of N 
g: Security in accordance with r.^ being unknown 
■ r .: Difficulty of a discrete logarithm problem over a 
composite number as a modulus 

Next, the security of the center secret matrix T is 
considered. Here, the security of the center secret matrix T is 
considered with regard to an attack, in which colluding entities 
attempt to solve a high-order linear congruence expression by 
pooling their individual private keys. 

In the cryptographic system of the present invention, an 
attack must be performed considering that the personal random 
number is also a center secret variable, in addition to the n (n 
+ l)/2 center secret variables of the center secret matrix T. 
For example, when m entities are in collusion, the number of the 
center secret variables is {n (n + l)/2 + m> . As a result 
thereof, even if an arbitrary number of entities collude with one 
another, it is impossible to generate the center secret matrix T. 
The reason this is impossible is described hereinbelow for each 
possible number of colluding entities. 
When less than n entities are in collusion 

Because the number of center secret variables exceeds the 
number of linearly-independent expressions obtained in accordance 
with collusion, the center secret matrix T cannot be generated. 
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When n entities are in collusion 

When n entities are in collusion, a maximum of {n (n + l)/2 
+ (n - 1)} linearly-independent expressions can be obtained. In 
the meantime, since there are {n (n + l)/2 + n} center secret 
variables, the number of linearly-independent expressions is 1 
fewer than the number of center secret variables, making it 
impossible to generate/break the center secret matrix T. 
When fn + 1) entities are in collusion 

Compared to when n entities are colluding, 1 personal secret 
random number is newly added, but other n items are linearly 
subordinate so that only 1 new linearly-independent expression 
can be obtained. Thus, there is an increase of only 1 linearly- 
independent expression when the center secret variables are 
increased by 1. Accordingly, if the center secret matrix T 
cannot be solved when n entities collude, it cannot be solved 
when (n + 1) entities collude, either. 

From the above, even if (n + 2) or more entities collude 
with one another, since the number of congruence expressions 
will, inductively, always be 1 or more fewer than the number of 
unknown variables, the indeterminateness of the solution cannot 
be removed. Further, the above-described simultaneous congruence 
expression is generally a high-order simultaneous congruence 
expression so that the solution is difficult. Furthermore, 
ultimately, an operation, which multiplies an inverse element 
that has L as a modulus, is absolutely necessary. For an 
attacker, who does not know modulus L, this is tantamount to 
breaking RSA cryptography. 

Further, let's assume, hypothetical ly , that, without solving 
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for the equation, it is possible to eliminate one variable by 
using the fact that the number of congruence expressions is one 
fewer than the number of unknown variables. In this case, a 
linear attack can be utilized, but because the vector v x of the 
target entity is a fixed-weight vector, a negative coefficient is 
absolutely necessary to express it using a linear association of 
other entities (or another entity), so that, in this case 
as well, for an attacker, who does not know modulus L, it is 
equivalent to breaking RSA cryptography. 

As described above, the center secret matrix T can be said 
to be secure against a collusion attack in the cryptographic 
system of the present invention. 

Specific examples of the security of the center secret 
matrix T are described hereinbelow when a personal random number 
is provided, and when a personal random number is not provided. 
Fig. 4 depicts a situation, in which a personal random number is 
not provided, and 5 entities are in collusion. As illustrated in 
Fig. 4, since a 5 x 5 matrix T is a symmetric matrix, the unknown 
quantity of components is 15. Further, as illustrated in the 
drawing, the number of linearly-independent expressions is 5 + 4 
+3+2+1= 15. Accordingly, the number of unknown quantities 
and the number of linearly-independent expressions match so that 
the equation can be solved, and the center secret matrix T can be 
determined . 

Conversely, Fig. 5 depicts a situation, in which a personal 
random number is provided, and 5 entities collude with one 
another. Because the personal random number is also a center 1 
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secret, the unknown quantity is 15 components derived from the 
matrix T and 5 components derived from the random numbers for a 
total of 20. Further, as illustrated in Fig. 5, the number of 
linearly-independent expressions is 5+5+4+3+2= 19. 
Accordingly, the number of unknown quantities is larger than the 
number of linearly-independent expressions so that a solution is 
not possible, and center 1 secrets cannot be determined. Fig. 6 
shows the equation in the case thereof. 

Next, numerical examples of the cryptographic communication 
method of the present invention are described. A first numerical 
example (when the public key vector v components are binary, and 
2 entities i, j share keys) is illustrated in Figs. 7A, 7B, 7C, 
8A and 8B . First, as shown in Fig. 7A, public keys (N, e) and 
secret keys (P, Q, L, g, T, r^ r j ) are set in the center 1. 
Further, binary public key vectors v if Vj are calculated based on 
the ID of each entity i, j , and arranged as shown in Fig. 7B . 
When the r t ~ e > rj~ e of each entity i, j is determined based on 
the above setting conditions, the results are like those 
illustrated in Fig. 7C. Furthermore, when vectors s i( y L , and 
shared key K £j of entity i are determined, the results are as 
depicted in Fig. 8A, and similarly, when vectors s- , y^, and 
shared key K j L of entity j are determined, the results are as 
depicted in Fig. 8B. 

Figs. 9A-Fig. 12 depict a second numerical example (when the 
public key vector v components are multiple notation values (e.g. 
ternary or decimal), and 3 entities i, j, k share keys). First, 
as illustrated in Fig. 9A, public keys ( N , e) and secret keys (P, 
Q, L,'g, T, r^ rj , r k ) are set in the center 1. Further, multi- 



notation public key vectors v i; Vj , v k are calculated based on 
the ID of each entity i, j, k, and set as shown in Fig. 9B - When 
the ri " e , rf e , r k ~ e , and vectors s i? s- , s k , and y^ yj , y k of 
each entity i, j, k are determined based on the above setting 
conditions. The results are illustrated in Fig. 9C. Then, the 
shared key = K j L between entities i, j, the shared key K ik = 

K kl between entities i, k, and the shared key K jk = K fcj between 
entities j, k, respectively, are determined as illustrated in 
Figs. 10, 11, and 12. 

As understood from the foregoing, since the above-described 
3 conditions for achieving ID-NIKS , and the 3 conditions for 
ensuring the security thereof are both satisfied in the present 
invention, center secret parameters are not revealed, and a 
ciphertext cannot be decrypted, no matter how many entities 
collude. The present invention therefore achieves extremely high 
security in ID-NIKS. 

Further, there is no need to prepare a special pattern of 
prime numbers in advance unlike the prior invention (JP A-10- 
210022), thus enhancing the freedom of design, and the key 
sharing procedure can be accomplished in a one-stage calculation 
step, thus improving security against attack as compared with 
the prior invention. 

This application claims priority of Japanese Patent 
Application Serial No. 10-125086 filed May 7, 1998 and the entire 
disclosure thereof is incorporated herein by reference. 
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What Is Claimed Is: 



1. A cryptographic communication method for communication 
of information from one entity to another entity, using publicly 
available each entity-specific public first keys of the one and 
another entities, comprising: 

causing a center to prepare each entity-specific secret 
second keys based on each entity-specific public first keys 
using a first function and to send the each entity-specific 
secret second keys to the one and another entities respectively, 
the first function having as parameters each entity-specific 
random numbers controlled by the center; 

preparing a third key which is expressed as a second 
function having 2 variables, i.e., the one entity's second key 
and another entity's first key, or the another entity's second 
key and one entity's first key, the third key being shared by the 
one and another entities; 

causing one entity to encrypt a plaintext into a ciphertext 
by using the third key and to transmit it to the another entity; 
and 

causing the another entity to decrypt the ciphertext into 
the original plaintext by using the third key, and 

wherein the first function, and a third function which is 
obtained by substituting the first function for the second 
function and which has the one entity's and another entity's 
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first keys as variables, are set in the below defined non- 
separable function for each respective variable. 

Definition: When a suitable commutative operation is treated 
as 0 and function f (■) satisfies f (x + y) f f (x) Of (y) , the 
function f (■) is non-separable in accordance with the operation 
0. 

2. The cryptographic communication method according to claim 
1, wherein each of said second keys comprises a first secret key, 
which is generated from the each entity-specific first key and a 
symmetric matrix controlled by said center; a second secret key, 
which is generated by multiplying a random number by the first 
secret key; and a third secret key, which is generated on the 
basis of the random number, said center sends the second and 
third secret keys to each entity, and the one entity generates 
the third key using the second and third secret keys and the 
first key of the another entity. 
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3. The cryptographic communication method according to claim 
2, wherein a below shown arithmetic expression is utilized when 
said center generates the first, second and third secret keys. 

■g = T^ (mod L) 
if ~n-xt (mod L) 
yi = g Ti (mod N) 

Provided that 

-Vector v^: First key of entity i 
Vector x i : First secret key of entity i 
Vector s i : Second secret key of entity i 
y i : Third secret key of entity i 
r^: Random number of entity i 
L : L = A. (N) 

N; n = PQ (P, Q are prime numbers) 

T: Symmetric matrix (Each component being relatively 

prime to L) 
g: Maximum generator over N as a modulus 
e: an integer that is relatively prime to L 
A ("): Carmichael function 

4. The cryptographic communication method according to claim 
3, wherein a below shown arithmetic expression is utilized when 
the one entity generates the third key based on the second and 
third secret keys and the first key of the another entity. 
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5. The cryptographic communication method according to 
claim 1, wherein the each entity-specific first key is determined 
by calculating identification information of each entity using a 
hash function. 

6. The cryptographic communication method according to 
claim 2, wherein the each entity-specific first key is determined 
by calculating identification information of each entity using a 
hash function. 

7. The cryptographic communication method according to 
claim 3, wherein the each entity-specific first key is determined 
by calculating identification information of each entity using a 
hash function. 
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8. The cryptographic communication method according to 
claim 4, wherein the each entity-specific first key is determined 
by calculating identification information of each entity using a 
hash function. 
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9. An encryption method to be used by one entity when the 
one entity encrypts a plaintext to a ciphertext and sends it to 
another entity, using publicly available each entity-specific 
public first keys of the one and another entities, comprising: 

causing a center to prepare an entity-specific secret second 
key for the one entity based on the one entity's public first key 
using a first function and to send the entity-specific secret 
second key to the one entity, the first function having as 
parameters each entity-specific random numbers controlled by the 
center ; 

preparing a third key, which is expressed by a second 
function having 2 variables (i.e., the secret second key of the 
one entity and the public first key of the another entity); and 

causing the one entity to encrypt a plaintext into a cipher- 
text by using the third key, and 

wherein the first function, and a third function, which is 
obtained by substituting the first function for the second 
function, and which has the one entity's and the another 
entity's first keys as variables, are set in the below-defined 
non-separable function for each respective variable. 

Definition: When a suitable commutative operation is treated 
as O and function f (-) satisfies f (x + y) f (x) O f (y) , the 
function f (■) is non-separable in accordance with the operation 
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10. A cryptographic communication system using publicly 
available each entity-specific public first keys, comprising: 

a center, which prepares and sends an each entity-specific 
secret second key to each entity, the center preparing the each 
entity-specific secret second keys from each entity-specific 
public first keys using a first function, the first function 
having as parameters each entity-specific random numbers 
controlled by the center; and 

a plurality of entities, one entity of which encrypts a 
plaintext into a ciphertext using a third key and transmits it 
to another entity among the plurality of entities, and the 
another entity of which receives the ciphertext decrypts the 
ciphertext into the original plaintext using the third key, the 
one and another entities determining the mutual third key that 
is expressed by a second function in accordance with 2 variables 
(i.e., the second key of the one entity and the first key of the 
another entity, or the second key of the another entity and the 
first key of the one entity), and 

wherein the first function, and a third function, which is 
obtained by substituting the first function for the second 
function, and which has the one entity's and the another 
entity's first keys as variables, are set in the below defined 
non-separable function for each respective variable. 

Definition: When a suitable commutative operation is treated 
as 0 and function f (') satisfies f (x + y) t f (x) O f (y) , the 
function f (■) is non-separable in accordance with the operation 
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11. The cryptographic communication system according to 
claim 10, wherein each of said second keys comprises a first 
secret key, a second secret key, and a third secret key, and said 
center comprises means for calculating the first secret key from 
each entity-specific first key and a symmetric matrix controlled 
by said center, means for calculating the second secret key by 
multiplying the first secret key by a random number and means for 
calculating the third secret key on the basis of the random 
number, and sends the calculated second and third secret keys to 
each entity. 

12. The cryptographic communication system according to 
claim 11, wherein each of said entities includes means for 
calculating the third key from the second and third secret keys 
sent from the center and the first key of the communicating 
entity. 
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CRYPTOGRAPH I C COMMUNICATION METHOD AND ENCRYPTION METHOD 
AND CRYPTOGRAPHIC COMMUNICATION SYSTEM 



ABSTRACT OF THE DISCLOSURE 

A method for cryptographic communication between two 
entities. A center prepares each entity-specific secret second 
keys based on publicly available each entity-specific public 
first keys using a first function and sends the each entity- 
specific secret second keys to the two entities respectively. 
The first function has as parameters each entity-specific random 
numbers controlled by the center. A third key is prepared which 
is expressed as a second function having 2 variables, i.e., one 
entity's second key and another entity's first key, or another 
entity's second key and one entity's first key. The third key is 
shared by the two entities. The one entity encrypts a plain- 
text into a ciphertext by using the third key and to transmit it 
to another entity. Another entity decrypts the ciphertext into 
the original plaintext by also using the third key. The first 
function, and a third function which is obtained by substituting 
the first function for the second function and which has the one 
entity's and another entity's first keys as variables, are set 
in the below defined non-separable function for each respective 
variable. Definition: When a suitable commutative operation is 
treated as O and function f(-) satisfies f(x + y) ^ f(x) 0 f(y), 
the function f(-) is non-separable in accordance with the 
operation O. 
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(57) 

* - * t>m^t a z <t & < s±t£ 
ffSttTKivsfR© 1 d-n 1 Kstcfcsa&saHtaai 

>*1 lETi^*?*©*! ©ftfrSlgl ©H»fcT 
S) i* S#©£2©8aiflfS¥©3Sl©8©23HME 

y-rlBl;:£*rt33S3©a tifi^fiU -fey 

<fc LfeS 1 ©laat. Sr2©HRtcSSl©|!8l»:&ttAL 




(2) 



mmW- 1 1 -3 1 77 3 3 



-tr y $ if a 3£ft * nftgx v x -r x -r maos&sm t a 

ffe£cDi>7V?< tffi££nftl^££HuSB^>£fr 
63S«4*lfe«iVx^ ?-f @«fl)»flSat 4iH*ftft 
1MB— ^©XVir-f 0)afflat*5pJffl LT7U©¥3: 

com 1 ©MfrS*1 <OH»H:Zt0f3-b>*7*i66n 

n 2 ©at % g#©n 2 ©aazf ffl^cDm 1 ©si© 2 g 

x-f ih w§ft Lfcfii»©afB*ff5 ctiu tuiB-fe 
v$tf^rs#xv5^x*BMr©SLR*/t5*-* 

t Lfcm 1 wmmt. m 1 <mmm 1 ©h»*«a. l 
: aaft^»&wffi*ot lt, sua f ( • ) # f 

(x+y)*f (x)Of (y) 5£3Sfeta#(£. HSR 
[W12] ff£B$2©a& Sxv?-rx-fSW© 

si 1 <mtm&>*&w£T%mbfT9itira£m2 
nsfgiswMit. sgi»?Ba(j:au»®in:TSRii*h 
%S2ieffia^ ^(E»^T£$s*i5»38ffia 
t*^*. iufB-tz>^^mLfcm2^ffi^aw : ig3ffi 
as»&*x>'7 i -f?-<iEjSS#u -s©ivT-f7-fic 

Ts £288^^11 3 SMiffl£©x>?*^© 
BH*J13] |8tBfcV*fc*»tt*SSl8HB«, Sf2& 

t»i] _^ 

5? = T"^ (modi) 



* = Ti - xt (mod L) 



IU 

-^^hJbv i : x>^-f i ©Sg1 ©H 
^h;bxi : i>7-fT-f i ©IglSSffi® 

yi : x>x-f x-f i ©Sg3fcB5&H 
r i : xvx-i-x-f i©5Li£ 
L : L = A (N) 
N : N = PQ (P, Qltmm 

g : N*3£trs«**fiES 
e : L £EW=JR*S» 
A (•) : CannichaellHIife 

[11*541 -^©XV^TVfcfc^T^afffla 

atns 3 iSitffi^i>T -< ?v ©sg 1 <omt ics 

-SHrSf 3 ©aSftBEf 5IK©ailt3CH*tT"!»a5« C t s 
1#«trsfl«S3l3«©B8^S1B3&ffi. 
[Si 2] 



"3! "is 



. ..OH'** 



yi = g ri * (rood N) 



= Vi' 
3 g r i 



= 5 TVj (mod JV) 

©£1 ©B**ttSEi£13f&i-f ~4©fl3 

?-f@^©|gffia*36WU xVy-ry-ftflOIS-trV* 
SStt^ftfcKx V^-r ?-f @£©ffiffi££¥Jffi LT 

nfc^xVx-rx-O^H^atx ffeB-feV^ET 
xv^-f ©SSI ©SHfSS! ©Bi»lcT*i&6*i* 
fixv^-fr-fSW©^©^©^* B^tt^x 



(3) 



SH¥1 1-317733 



#I>7Y7^©S1 ©H© 2g|«e: J;Slg 2 ©Ba»T 

<fc#ffiJ3LT. ¥S*iW*toiWft:-r«z:t4:U 15 
BS-fz>£ tfWSf S &x >x -f t 1 -f @£ ©SLK*/ ^ * 

Lftm 1 oDsaat » m 2 ommcm 1 ©»»*« 

H3roHgfe££, *ft-e*i©S»fc-3^TTI3fc£i** 

^7J-S a 

(x + y) *f (x) Of (y) «Slft-r»&l=s B3R 
f (•) ttK3KDfc*y»«*WP*5. 

firsts, entsftftjf^xssosFXta^ 
vt 1 -!-^ ©a^smi ©si»icj:y*iv 

r^T^S£©IB&©$2©£:&$A6£-t!;/$£, g# 

©m 2 commmmmvm 1 ©gi© zkrie *«si2 

5PStEffl^«« 3 ©gl£:R46S}ii5[© 
2 ©BBKldH 1 ©Bi»*ffiALT»5*i3, 
f ^< & LT£S £ <t ^#^<t T SBf ^ilft->7.7 1 i> 0 

£ig : iaaaRrfta»aeot lt, sa» f ( • ) # f 

(x + y) *f (x) Of (y) *3tft-ra&t=, BSK 

f (•) ttsaotcfcy^BPFRrti-pasa. 
[fft$£8] ms£2<Bmis %m*m, £2®» 

>f @^©»1 ©ffltluBa^>4f#9S-r5*l«i*75!It** 

sig 1 mmmmmtttrnt. m 1 ^mcaist^m 
Lft c t t rsiiass 7 iefg©Bg^inr>x 

[11*89] fufB&XVT^TVti, fi|K-feV*frS 

^*ftftm2ffiffiaatf»3»!Baita^ffl#©s 1 

t f SIB $M 8 f BK©Bg€®fl'>Xx 

[0001] 

[§src©Ji-f ssiffi#s] *bib(4, fijffi©fi«3E?a* 

#JK#lEttfcfr5ft^«fc5fc^*^tLTa«T3 



[0 0 0 2] 

lis avifa-*** h7-**affl£LTv tf-^*X 
jiJim#nTfi&a*ti§ 0 d©J;^fem?1f?Eti, §a 
HTSS 1 l^ttKff S y . flRE&^HStf 

10 tfa-**-yh^-^©^3H%fifilffl<ba^©lliClE 
=FRTi?7*5ffv i!ft[±Ma»£f?S©fi!$E«£©fHS<!:[* 
*Jif«H«*^A/WS. C©«fc5ft*JB4»)g-r5 

fei6©waa*at ltv as©51£©es&±£ t lt 

So 

[0 0 0 3] BfrSttt, ffi&OftStfSmKttKlill 
l^T. KlT"&Ji»T*57E©£ =£mH#tu(iS 

20 sy, (&^s*¥S»Esrcti?a*?sy» c 

©lfi^bfc«^£©^e**£ttTlit#£A:P?-5. Pg 
#fc©fflg»tJP»3©ia«fcH:, *h*WS3fc«J5ttF 

4*©*tflB*S*«[^#* Bf^^[cJ:oTtf$E©^ 

[0 0 0 4] P&f§fta£«*§«£tts 9L<TfeS^ 
L, I4otl' l T i EilL\ Pi#©a£WSL^Ii|^»tt. 

30 ES (Data Encryption Standards) ^©ftM^S 

s„ sfc, pB*©a<jtaftsi«g§s©-eiJt lt, ana 

5Bg^TSSo iiEBPS^R-Ctt. ^©-^t^SBg 

1 1= j: -a tbs^i» sa-^isw y tfji±ftf t # 

40 [0005] iisawt?^ Bg^fta*45ii-rst^ 
5iij(B«ftiis#3STSoT* asisanta^©«fttei& 
s4±5ELft3-o©sjRi«:a^-rst,©-?&yv mm 

tTfctis ft^^^^rfiaPf ^Rfc LT R S AP&^3&jS«ffl 
S^n/co C©RSABt%JS{±. -SlRlffiBiBtt'LTIR 
HKaSCBHSfcWELTiiSiStiT^S.,- 4ft, SI 
S»5l«BaiS*»<Ct©B!ll* GSHW*3SBa® ^*Uffl 
Lfe4JWaiS^S'fcffl'<f©¥aMi { SB!B*ftT#fc. 
[0 0 0 6] 4fc, Sx>x<7 1 -i'©fiRfi, B&WOM- 

50 A*ss-rs 1 d (identity) ffi&mmt%&%m& 



(4) 



&m¥- 1 1 -3 1 7 7 33 



M&mgfiiT'O^ffiwmitxmtTZttt. (2) eg 

r^ttttf&Z* mz. (2) ©^jSliiHiiHitf* 
M7253©T\ x>W^©fy«14tfjS<, &3£©Pg 

[0007] Z.V {2) a&mz&zw&tot* 1D- 

NIKS (ID-based non- interactive key sharing sch 10 
erae)iP¥l£ftTfcy, ilflffl^© I Dlf ^JH^H 

z t ft < Pt^f bSi£KWT s^iKsm lt 

ID-NIKSB, &S#£ia?£ll8. SOS 
SSSSf S&Hff* < , * ftil© U X J-atfSHifK: «fc 

3-9— extant usutfawj, fflfcoiVT 1 * 

[0 0 0 8] IH1 3tt. £© I D-N I KS©v-7.5\k 

U E©*>***toiELTft1i«^5>xy/ve«Jfc 
LTl/^. ill 1 tcfet^Ts xVx-i-tVXCD&siu ft 2D 
ffi, W8SSWDI DflHitt* /\y5/iil»h (•) =& 
fflt^Th (i Dx ) T*^"f= ■te;y$U±ffii©x>-r--f7 L 
^XtotfLT. -feV^iiBflflHB {PCi } , -fe^ffi* 
iffg {SCi } atfxVx^TVX© I DiffBh (ID 
x ) KS^Tv fitT©«t5(E«H6fllfflSxiStf«U 
»fl9BEi>f-f x-f X'vKfc't*. 
Sxi =Fi ( {SO } , {PCi}, h ( I Dx ) ) 
[0 0 0 9] XV7 1 -<7 1 -i'Xliffe©ffijiC0XV7 1 Y7 ; -i' 

{PCi } Rtfffl^&DXVy-fX'fY©! Dffi^gh 
(I Dv ) *ffl^TJUT©<fc5KSffif«. 
Km = f ( {Sxi} , {PCi}, h ( I Dv ) ) 

2£fi«Kw*&iM-5. t,US(cKw = Kw©liflR3Ei«fl6 
£©HKxy, Kvx^xyx-rx-f X, YfflT 

[0 0 10] ±&LfcfilffiBW^SW& GUtfRSA 
P^&©«£fc*©fira«©S3tt8£©SiS#^©+ 

swgtfcy* wtozimc&z* cnic^Lz, id- « 
ettw. cfl)*»*#s!aLTffli<DxvT-f5 i -fi:©pa 

3" J; 5ft I D-N I K5©^X7^#££lE^**i:ft. 

tc J: U . ID-NIK S tfig*©PS§3R©f j&tcftS t 
[00 11] 

[siwffBftLi^frsKsi alga*© i ommz so 



bi/>tmwi*?*3 c 1 ft < umag&tf&Hte ft 

5£1iffl*ElHEttrr3J:3ft I D-N I KStcfe-a 
Ttt* ^©x>7V5V©teffi^SfiWi:i*LT+» 

5ft 1 d-n 1 KSKfcuvrii* ^m^mt^tiT. 

I D-N I KS*«HS7f*«3£«5iMis SJgfit 

[0 0 12] E©«fc3fttt3K£*oT* *«HI#W\ S 

Wca^l D-N I KS©B&^*S*lSSLTf3 (ft 
M¥9 - 8 9 7 2^) . E©*3!CHU «3^-««^aa 

Hiaa*»i!PFRraiS:iia t Lfcfta*# u c©ftm 

[0 0 13] LfrLfttfS. C© I D-N 1 KS©B£^§- 
SSTtis #&ftfg|fc (P = 2pq + 1 (p, q 

ttma ?s*n33S»p) sjB^s&Etffcs, c© 

MA ^->Xx^±©Slt© i E&JSiWft^ c t 
ttfti,\ Sfts SK^©*J«3BS2SjS©W-l(X?y^€- 

asattstffts-r. ^©^^©spgTfiKii-raws/ift 
3WK£#§a LftL^ t itm^nit\ imz&wt 
\,\ c©Bg§3&SKi* % c©j;5ftr P m^fey, st# 

©^i&fi 5 **. 

[0014] *a^(±»ffrs*fliica*T**nft'fi.© 
■psyi>?-i'^tftSKLTt.-i*>*©ffiffi/^^- 

46TSIWI D-N I KSlE«fcSBf^aHi2rS&tf 

^afi~> x x A^^Ta c t * a « t r 

[0 0 15] *^©fte©g^i, itffl©l#B¥9-8 
9 7 2^©aafcfettSFi3Bj5£S»LT ; t©*5S : £S[ 

au isit©gs^*S46. j:yffi^tt*js<?*aie 

[00 16] 

rai!a*»a-r*fti6©#sa wa»si ie«5^i§ 

■t£>$!^5Sx>^'f7 L -i"N#x>7 ; - 1 '7 1 'f!il 
Wffl*8«a*3aSWU -*©x>xi'7 1 '<A ; !tulH-tz>'Sf 

5 an** tiftsx y x ^ 7 1 -r @ w© sffisi t ism #n 

ftffe^OX^T 1 ^ x-f ©ilFJMt =&?'Jm LT¥S^Bg^ 

Zftft&x.yn t<< @W©fflffiSlt ^M^nfcBylB— 
^©x>x-r ©SJBiat®* I] ft LT76©¥S:i<:ffi^ 

t^ci^y, xv?^?-ria-?Mtit©i»i*ff3iii 

^iifiS;S^e^Tv tttaSFjIlli: LT©4iffl*hfe# 



(5) 



1 1 -3 1 77 3 3 



<©a#S3n©HaKTitlfiB*>*T?^SftS» IfflB 

t s g#com 2.0aaif*B#o* i amto 2 msm*.* 
fisi^rr «s 3 lt\ x vy-r ure . 

%.m : ssftRriftfcitsfcOfc lt, mm f ( • ) an 
u+y) *f (x) of (y) ^mtctm^ mm 

[0017] lt$8 2 K&Slig39@££& St 5fSSt 1 

^35k tufiB-fe V * t±£ft LfcSg 2 »ffi8&tft£ 3 ffiffitt 
£ 2 3 ffiffltt t«C&OX>y -f ^-f 1 

[001s] n^S3^%Pt^i@^U:« K*S2 

icfci^ iaiB-fc>*fcfctt*£ 1 m2»ffia 

[0 0 19] 30 
OR 3] ^ 

3? = T^ (modi) 



j? = TV - 5? (mod i) 



IN = g r< (mod JV) 
[0 0 2 0] fiU 

^ hjUxi : xy^^^-*- i ©&1$&®8I 

^h/Uss : ivr-fr-r i £D^2$a®2i 

yi : x>7--f7--f i £>^3S5&M 

r i :iV7-ff-f i 

L : L = A (N) 

N : N = PQ (P. Qimm.) 

— g : mfctt %m±£i&7i 



* (•) : CarmichaelFsllSE 

[0021] fiS$£4fcft3ll34§ji1g«£ttt mats 3 
fcfeVT, ?-f lcfe^T*2*MMB6lF 

[0022] 




s / WiT * J " (mod JV) 

[0023] n $5 5 te^^ps^afi^t*. mm 1 
•y 'y=Lmmnm LTttirrs c t k * u * ti>r< 

[0 0 2 4] ffi^6fc«3B&^tb*Sfcl\ ■feVSfrS 

SBS^flS&SSlEfc^T* iiP4+lfc=S-X>7 1 -i' 
G9Hieo@i:s lulB-trV^^TXVx-f <7>gt 

^cDm2£o^ts ^fc-r§x>-r<7 i ^ga'CDm2co 
@arj=^s:to^5feT'S§ffl#xvx<7 i <^iii to 

a©2SK(EJ:Sm2fl!)Ria7a4ih* ¥^SS^XtE 
BS^fbr5H5l!:ffi^SS3(Dat*ffiffiLTv 

iB2ffliiaicmioiia*ffiALT^6fts, 
stf ®m 1 ©«*£atrssi 3 ©sat*. **i 



(6) 



SIMM 1 -3 1 77 33 



lessor sctsitatt-s. 

[0 0 2 5] H3i«7ieffi5BeSiHs5'*yZ*[i, 1tlg 
1 flDOlr&mi ©KIWEJiy&xv^TVSWflDS* 

Ete£8*h«#«*RrffiftHRi-f ft LT553 c 
[0 0 2 6] ffi&58 [r^SPt^ffifte/XxAii. gf£ 20 

em 1 »sa*9t-»r3^®ts «i®BSBcaus«ai 



««Lfce:i:**i«i:-t5. 

[0027] m?m9izmz>vB ! mm*sxTixte. its 
gftsnftm 2 3 fc&^gttsfi*!* i 

in. 

[0 0 2 8] BIT* *SE<DS&§«<B*Sfca5W-S I D 
[0 0 2 9] g=*\ IBB<D«BSc*-!KftLT» »Efc 

sotLTx Bi»f (•) ^oiiaassifc-ra^ 

f (x + y) =f Cx) Of (y) 

ffllAtf, f (x) =ax. f (x) = a* I*. UTiEa* 

f (x + y) =a (x + y) =ax+ay=f (x) + 
f (y) 

f (x + y) =a»» = a* ■ a* =f (x) • f 

(y) 

[0 0 3 0] *fe» m]f^%mmoyms0ts jsit© 

•fcSlEfS. iU £ft5"JA, b, ctt*ft*nmx 
I, I Xn, mX nCDfi^Jtf ^= 
[003 1] 
[Ht5] 
C = A B % 



es 7 - = JJau'« (i = l,2,... f nx, j = l,2,... 



n) 



[0 0 3 2] fr5"J©*BE»CtKa*i:Sa»* 

ja-FOcfcoiEsats. fiu *ff5UA, b. ci± 

m x n fcf 3. fTBl ©J84MIC = A * B £ N 
c u = au bij (i =1 , 2, -, m, j = 1 , 
2, n) 

[0 0 3 3] UtV&oKimK&V, -WTOttStffig 

wo. eu t ttf55i]oeii**i*-r«. 

[0 0 3 4] 

[Site] 



2. (A*) C =A*C 

3. (A B ) C = A (B^) 

4. (A*B) C = A C *B C 

5. A( B + C )=A B *A C 



[0 0 3 5] 

ft-m&^is. I D- 

#^fS 0 ©Li. 



I D-N 1 KS%$mtZ>Tz#)(D$k 
j, y&tfzteXV^-f 



(7) 
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11 

ttx^x-rx-f i©ifMt (^f*if;&©iSHCDff?24) 
i) s Kij [iiVx-fx-r i tfSia&fciVx-ry.r j £ 

[0 0 3 6] I D — N I K S**JRT3fca&H:fcl\ J-XT 
(Dgfett 1 - 3 CD 3 -3<D*fl=/JWPa5S. 

[0037] efeffi (sffiaasiitt) ] -bv^tt, 

ft$&£i$65&f (•) (^IfSroSH©^ 1 OH 

50 £ffl^Tv iVt^t^ iO&Havi ttBitf&t 10 

51 =f (VI ) 

[0 0 3 8] [£#2 (R*r8£££ft) ] 

H&g (•) Qfflm&(Mmfoi&2<Dmc> 

K u = g ( s i , v j ) 

[0 0 3 9] (gtft££tt) j X>t^t^ i 

jfj^xvxi-x-f j (ca*LT**r5ftiaKu <t, x> 

Ku =Kji 

(•) sffixLTffsns. iisasvi , vj saafc 
■r«ft^siaHBi»F- (•) (^itit^®H(7>m3^ 

F (v i , vj ) =F (vj , vi ) 
iU 

F (vi , Vj ) =g ( f (vi ) , vj ) =g -Cs 

i , VJ ) 30 

[0 040] affltOXV^^'T'-fflDefESSlEjtf 
LT££& I D-N I KS*ffiflrrSfe46(Etts WTO 

sfefl=4'-6«stft-i*Hra^. 
[0041] c^ff4 dsK^-r$8»esEa>£^ 

14) ] im&SBIftf (•) ttv WTKS-TJ:5K» 

f (x + y) *f (x) Of Cy) 

2A©XV5 1 <7 1 -r i , jOltfSSIsi , sj lElJ; 
**SIE3S*IE Jt y , flficox > x -fr-fz GftMHB s z # 40 

Xtozn. mznzLZoo mz\& v 2 = Vi +vj 
trnt-fttcmsiz, mms\ , sj zmmLzm 

If, W*ffl)J:3lELTv xvx-fx-f zOSSSSsz * 

Sz =f (Vz ) 

= f (Vi + vj ) 

= f (vi ) Of (vj ) 

= s, Osj 

[0042] m*5 (.&mzmzmm(D ! ££ 



12 

F (a, x + y) *F (a, x) OF (a, y) 
F (x + y, a) *F (x, a) OF (y, a) 

Aw&fiM&F (■) t\ fftimmm&%z& 

7\ vz =vi +vj ££*fl5S^fcI& Kiy (=g 
(Si , Vy ) =F (vs , Vy ) ) JKFKjy {= g 

(sj . v, ) =f (vj , v, ) ) mffiLxm 

tiU JMTffl*3KLTs x>r-fx-ry. z|Q(D^g9l 

Kyz = F (Vy , Vz ) 

= F (Vy , V i +Vj ) 

= F (Vy , VI ) OF (Vy , Vj ) 

= F (Vi , Vy ) OF (VJ , Vy ) 

= KiyOKjy 

[0 0 4 3] E<0*fF5[*#g(EltSL<* it*©f+3tK 

sK«-i?i4fi^Ta^ct*afftr«c fiOjtt& amis) 

I D-N I KSSfett^SllIU D-N I KSI4CO* 

[00441 &#6 (■bv^SHSsose^ia) ] 

[0 0 4 5] ★SlH'Ftt, ftB£Pttl;:g3<DlSg[ (£ 
&8£iBHK) *»UPFRlffiJS:lii»Kia!gr* 
5) fcS(E, SxVr-rx-fBWflDaffltOiiBte/^/ 

mm.) zfim^mrmmmfetz (*ft4) . *is 

ffl?t*s CO«fc3ft»SSPFRTffi4Blifc©1#atv RS A 

ft<TSBW)aajg3S t 5is<* wivf-fTYtf^s 

US 3 ©St Jfe^ttSfffiXxyytflSPS-^ 
[0046] 

■b>^ 1 tffS£*ftT33tr; 1 t LTtt» 

Vf-ff-fa, b, zi:t±^SSailK2a, 2 b, 

2b, ■», 2z^LT-tzy^1^e^ffl^1ff6^§ 
IVr.fT-fa, b, -, z^S^ft^cfc-SK&^T 
^5. Sfc. 2A©x>5 1 -i'7 1 -r'a)F^^tt3i^iE&3ab, 
3az, 3bz, -tfSSttSnTteyx C0®{fES3ab, 3 
az, 3bz, -*^tTaS«ffl€^bLfi:PS^StfS: 
l^©x >x -f t 1 -1- HT-e^n§ J: 5 left -3 T B 
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[0 0 4 7] IXTKv *fflft<D\ D-N I KS$>mfeV> 

n n=pq 

e L£SWEffifcJt««/h;!rfcfiR 
*iS®gt P. Q 

L L=A (N) 

g N«atT5ft*^7E 



[0 0 4 8] (-trv* 1 T'©¥«jaiS) -fe>£ 1 ttttT 



[0 0 4 9] fiU A (*) HCarmichaelllK^-rs. 
* tes iVT^f-fiOID fltfBfr 6 n ^TcO&BflSI^^ 

M/v (^SH^cdIbHG)^ 1 ©a) fcitHTsfca*© 
/vy3/alH»h (•) fcilBiKiiMTSo AyfifflS 

=£tHILfc«£lEs ^JJflDBtfetftSJi^lc-rs. 
BP^ JStTCatfJSEUStOo fiU v Ml/ vi 

fiS^-? h;l/^feSJS-&tct±Scha Ikwijk7'/l/=fLlX££JS 

ivntfja^u .-kkkei** (n - 1 ) 

[0 050] 
G»7] 

[0051] (xvx-fx-rwgssas) x>y-f7 : -f 
i ica»*flaa*nft-fe>* i a, PffiLrcH^xvx 

-f^-f i©4iBI«^^h^vi (=h.(lDi))t* 
JS^TttTflDfW&froT* x>x-<x-f i £K<7 f-jU 



[00 52] 
HS81 

1. 5f*#»a. 

xt = T* (mod L) 

2. i fc2W=SRfc&Rri ZMV, It 

~st = n-xt (mod L) 

j« = (mod J/) 

[00 53] (X Vr-f tV Ra®£^®£j£&® X 
yf-fT-i' i tt„ xvx-rx-r j £©»3*&*fT5fca& 

sxr<z>£? itmm&mmt* e matr s-r c t ic 

[0 0 5 4] 
[»9l 
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50 



15 



ffllfr 11-317733 

16 




[0 0 5 5] Mt, ±aiLfcB§^->7.7 ; ^Cj3W^X> 

-f^-f'b'VfSgL, iVf-fr-T bi^CPS^C^S 
(35^ (>cy-fcr-i/") mzm^t^m^niLX^. 

[0 0 5 6] XV^-rx'T affldtEtt,, xy^x-r btO : 
fflAMSlffitfSI Db £AfcU /\'y->aH»€?JfflLT 
^ hJl/vh &£3£6H8£JiE8*1 1 <tv -fe 

^TiVr^r-f a tfatda-Sxyx-f^-r b t(D2&M 
[0 0 5 7] *fe xy^^x-fbfjtEti, I>T-fT 

g Hi/ v . (&bbs) esaaBaa^as 2 1 

SJB^TiHBB 3 0 A % SA7] UfclS^XC v 
■fe— ■ Mtcffi*LTUi*-r«tS^S2 3 4:3BHiS^.6n 
TO'*. 

[0 0 5 81 H3& Si2iO±tWaS^§Sl 2 (2 2) 
©rta«MS*^TiaT»6S. 1 2 (2 2) 



a, 1 ^eas-fts'** h;i/s=&iEis-r^mi u 

5>X*4 1 t, ^ h/UsO*J«»*i3lE , raS2 \s*J 
XZ4 2t. -b>*1iJ*62l6ti«y*IB»fsm3U 
3?X*4 3t» £H££j£g1 1 (2 1) fr5£Sft« 
"C* h;UvS1Bttt3S4 U5*X* 4 4 HUv 

<D&j3s»efafiT3S 5 45t, g^sstN «ib 

«-f5S6U5;**4 6fc. S2, S3. Sf£5. 1£6b 
v f X£42, 44, 45, 4 605iii±l£ffl^7\ &9 

[0 0 5 9] »[E, »^("^TPfit5„ XVx-fT 1 

^ £*\ XVx-rx-f b©ffllAa»J1fai Db tffiK 

^fisasi 1 izxtisnr^ HUvh &m tffs 

5*U ftSftft'** HWb ^ttW^fiKSffl 

HUs. Slfy. ff&€8±J$Sg1 2^A7J*tia 0 11 

3 Ks?-r«fi8e«r aswasaas 1 2 kt. a 9 

oTft^llKab tfjRa&6*U BS^fcBI 3^6*1*. 

[0060] aftss3 o*esisftfcf«^xc(ix>T' 

47-<fbatfS&&2 3"vA73**l3., X>"T'-f 7 1 Y a CD 
f@AMS'JtS$E 1 Da #£Bia£jiggg2 1 KA7J*ftT^ 

ff« ; ss4j5)6§ff2 2^5na 0 sfe. *v*i#5» 

fi8S2 2^X73*^15- H3lESVf8Wl**lf«£1iiI 
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[0 06 1] 3S5tE» C<7)J:aft*SSfll©ll&§3Sff»- iffiS 
Lfc I D-D I KSOS&Itt (*ff1-v*ff3) STJI 
D-D I KS©££f£ (£tt4~*fl=6) mtctZt 

[oo62] efefM fcoi^r) sm&SHSk f 
j:5iE^e*n. coim£aiaRf to 

[0 063] 

BBE10] _^ 

/ r; (l?) = r^T* (raodX) 

[0 0 6 4] (&VrHz-ovT) t&m&msLg ■ 

[0 06 5] 
[» 1 1 ] 

= (modJV) 

[0 0 6 6] m*3lZWT) mWAffiMl&F 

SfMiarefcoT* Hi/^oxs/T^x-fffSj&rss*! 

[O 0 6 7] 
BS12] 



[0 0 6 8] CfcfMtE^T) S 

(■) ti, WTtt^J:5lE, /^p<— 5r*B£-r*i 

r ©ffltf&xyy-r x-rStegS^TVS© 
T\ tim±J$B8ttf CO tt»BPFRlfilftB®llr!'6 
3. 

[0069] 

[»1 3] 

= tT^ * rT^ 

[0 0 7 0] m7ii£s ^ HWx =^<? Hl/v i +^ 
<7i-)[/vj ©*§•&, ^h/Uxx s^;>7 h;Ux i *^ 

EftLT^S©'?* ^HUs* s^WUsi 
M/sj ift.5f\ fflAS«?»*^h;Usx , ^ 

[007 11 5 (E-3^T) ££3£l*IHgjt F 

(O I*, eiT©a-^*n«j:oiE, »«PFRrig4Ba 
HSit»fijai:s^< smart,, ftew*5i>7 

[0 0 7 2] 
[»1 4] 
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= 5 



50 
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[0 073] Gfett6K-3^T) ■fe>*8«S (P, Q, 
L, g, n SIFT) It. £»©i;>5 l -f y-rjEHSKL 
TfcSSLftfo -b>*l8«a)*©P. Q, L, g, & 

P, Q, L : SEi!t#gE©iiL£ 
g : ri $HKJ:3££1£ 

r i : Gmtttt*mmmami>z 

[0 0 7 4] 3UE, -feV^iBBfiajTrofi^ttfc-^T 

[0 0 7 5] *5Sfflfl)ie§35afl!)»#s -t!>*8H»ff8l 
TcDn (n + 1) /2fi©^>£$ffi^i&lE;tojt. Stc 

{n (n + 1) /2+m} ffitft*. C 
©*SSs ffifcOAKOXvy-fx-fiMSKLTti* -tr> 

=PRrffi?fe33a*, J6ftAa«fc5M*T3fflllf *. 
[0 0 7 6] (nA^CDXV^-r^-rA^Sft-r^li ac 

SfcftftS©»*±laI«©?* -tr>^eSS?JT=£^<c: 

[0 0 7 7] (nA©x>^7 1 .i'tf*£ffiT£i§-£-) n 

+ D/2+ (n-1) } ffl©S8J13aa:45Sff£6*i 
3, -bV*fi«Ha»[4 {n (n + 1) /2 + n> 

<st?s3©t*» a^ftfta©»tffc>*8HB£»©a 
j: y 1 1 o'j>&<&y, -{2>^8ffifi5"jTa:»iJ-SL\ 

[0 078] ( (n + 1) A©X>-rf ^-rtf^R^ a 
Jg&) nA0)^(EJt^T«fftlE1o©fflA8WSU»tf 

7£W--?&3©?\ nA©«SKT«ttfctfW& (n + 

[007 9] fiLbfcy, (n + 2) Ai-X±©x>7 ; -^'7 : - 
.<J^J ^ ^Si6L-C^ ) , MMflWtc «K-&iga©»{i*Jai^!c 

©s*y 1 -pfiLh^a^©^ «©^ffi*us< c t» 
^patays «<cti*MU\ hie. s^el* 

frSfti/WSfciot, E+l(*RSAl9^*lSl«i:t 
[E^Ll\ 

[0 0 8 0] Sfc fcUEfc£HS*«<C£ft<n!P] 
Sft*i& a»Lfcl/»i>?-r tV©"? 
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RSAJS^*lftSCtK«L<&S. 
[0 0 8 1] fei±©cfc5tELTs *^©Bf^iCe 

a, -b^^sisffjijT /Mgreaastesj lts^t-s* t 

[0 0 8 2] C fiAB#*Ktt3J§#fcffiAa» 

aft«!l(c-3^TSiffl'rSo 111 4 14. fflASL*M**-3\ 
5A©l>x^-rtfiSaLfe«£«aVr. 04[E;jVf 
<fc5fc, 5x5©fr5yTH:SiaifT5«Jl»S5©7». fiE#© 

»«i sffl^ss. sft. H4it^-rcfcdtc. im 
33Laaa©»i*5+4+3 + 2 + i = i sta« 8 

T* *JPlSt©i@Sci^fi?^3ia5e©il!t<t6 ; <-Sc-rsfc 
(Eft 

[0 0 8 3] 111514. fflA&R*RW\ 5A©x 
vf-fT-ftf^RLfti^fvto fflASL&t>-fe>£l 

$i]Tg|3K©l 5ffiiftRft*©5fflfc©£tt2 0ffl-«5 

5+4+3 + 2=1 9<tS:«c =fc^T. $&ft©ffi|g!c# 

&}&!b&&£©g[<f: y # < fc^fcfe. m< c t 3E?t* 
1\ *>*i©fM&tfSta6S:h.*i.\ @Gkv £©*!£- 

[0 0 8 4] *IE, *»«©l«rag^{c£H-3£Mg 

fiaeo^TiKB-rs. @7, B8(E£i©»ii«y (&m 
W<v h;i/v©fiK^2fitTfey. 2A©x>xf x-r 
i , j fi»#8l1-3JI#) S*\ 1 tc 

T, 17 (a) £*Vf cfc^Ks &61SI (N, e) »tfS& 
o mm (P. Q, L, g, T, ri . rj ) *«3&r5. 

ft^Hl/vi , vj=&W-gLT. H7 (b) ©J:5tE 
sS^-T^o E©*5ftKJ£asfWES-3l/^ =&x>x-r 
r-f i, j © r i ' e , rj - e **4&5fc07 (c) ©<fc 

Si , yi Rrftfcfi«Ku**«>Si:B8 (a) tEg^f 
i^tE&y. PH$lE» X^T'^^-f j (Efett^^-? h/l/ 
sj , yj atf*^aKji**4&StH8 (b) lE^t 

m [0085]i!9~i!12tEm2 ©IStM^J (SJHa^ 
h;I/v©j$5^$1i?sys 3A©i>T-fT-r I , 

T, MS (a) [E^-rJ;9tE. (N, e) Rtf® 

(P, Q, L, g, T, r i , rj , rn ) £f££ 
fS. $fc. &i>7^r^ i , j, k©LDte£-5< 
$fi©iir?3SI^ hJl/Vi , vj , vk Slt^tTx 0 
9 (b) ©«£5EKJ&fS. ^©cfcdSIS^#(E*^ 
U^Ts HVT-fx-f i , j, k©ri" e , rj- e , r 
k ^-S^HI/sr , sj , sk Rtfyi , yj , yk 
so *&4&3£IS9 (c) ©4:5^^5= ^LT. x^x-r 
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r-f i, jH<DftWaKu=Kju iVt^ty i , k 
Kjk =Kkj(±, ^-n^n, 01 0, SI 1, HI 2(D£ 
[0 086] 

Ltc I D-N I KS *Sa-r3fci6fl!) 3 OOfcffi&tf* 

[0 0 8 7] ^M05=t5{C^^<7)mS)t^46 
¥ffll LTfe < &Stfft < ft -d TfSltO S fiSjEPB < ft 

[a i ] *^BicDPi^iifi->7.7 i ^©*i^s^-r^scii 

[BE 2] 2A©iV^?^IHfc£tt3fM0aitt8g 
m 3 ] 0 2 <9ft^gt3= J^©flg|!iM£^Tr0T*£ 
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[@4i fiAa»*saw4^a&<o-b>5iT«fl!)»ffi©fi 

[05] fflA^*IMtfci§£©*>*Wffiffi©££ 

[H6] *«w©fi^tt*a-r»ffifi9*sriaT*s ( , 

[El 7 ] *£giQ>$ 1 flCHBEffifflPSeS-f H-PSS. 

[08] it&iyiom 1 o»fflfiyss-r@?ss. 

[HI 9] .*»$®£2fflS1£ffl*g*-r@-efe;5. 
[HI 0] *^wm20lirflfJ^-ri!TS^ o 

[gn 1] *«iaflDS2flDafflffli*3K-ria-??*5. 
[01 2] *affi<DS2flDaffiea*s-rH74s«. 

[013] I D-N l KSC^t^SIWT'S 

5, 

[ft*KD3Wffl 
1 -fe>r? 

11,21 £BB9££]$« 
1 2, .2 2 &££t£fi£Sg 

1 3 Bf^b» 

2 3 «^ 

3 0 SIPS 
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(I>7^f-f b) 
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( y) 




( bJ 




t v) 



a 6 US' w 



[01 0] 

Kij = Kji 

=189(mod27T3) 
=189(raod2773) 
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[07] 



*a& B2 0flN 




/1\ 


/ 0\ 








01 




°\ 
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0 
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0 




1 
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0 
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0 

.1 


f v 2 = 


0 
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0 
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,v 4 = 


0 
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0 
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0 




0 




1 
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1 




0 


lo 


10 




lo 




lo 




11/ 



,T V " 



83 r 3\. 
b 2 r 3 \ 
c, r 3 
c 2 r 3 

°3 r 3/ 

b it A 

m 

5+5+4+3+2=19 

mam 



P=47.Q=59 
N=2773.L=1 334 
g=2449. e=5 
r | =673 . rj =239 



/ 547 416 360 

' 416 359 303 

360 303 241 

309 252 194 

339 ZBO 224 

286 210 173 

396 341 288 

470 409 351 



309 339 288 396 470 ) 

252 280 210 341 409 1 

194 224 173 288 351 

139 173 120 234 178 

1 73 197 148 262 331 

1 20 148 101 210 275 

234 262 210 331 393 

178 331 275 393 457 



/ 390 \ 
340 • 
994 
292 
1054 
1314 
1086 



= 863 
=49 



,y[= 1721 



mi 340 ) ) J J =51 (mod 2773) 



/954\ 
206 
1266 
914 - 
B14 
454 
862 

v 72 ; 



Kjl = 



n 



. yj = 689 



Ifi 
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S1 [2J 
*i(3J 

^[S] 

=41) 

*<[2] 
r<[3j 

r,[S) 



/100QOOQOOOOQOQ01000 0\ 
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O1O00 
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O0OO1OO0OO000O0100OO 
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oooiooooooooo 
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[ISO 9] 

(a) P=47.Q=59 

N=2773,L=1 334 
s =2449,e=l 7 
r,=1l3,rj=327.r k =295 

/852 221 738\ 
T = I 221 253 846 
V 73a 846 785/ 

lb> *-(!) '^ = K') Ml) 



/87B\ _ / 256\ 



/652\ 



y, =2088. yj =1 689. y k = 



[@11] 

=1317(mod2773) 

K. l .t.-) , -r 

=1317(mod2773) 
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[HI 2] 



:753(mod2773) 



.2^652^52^1 26&^2Ba^1 2BB^2BBjl 2Bft^ 2flBjl 28Bjl 28^1 2flBjl 2B^Jl 288^78-^776 

753(mod2773) 



(SC 1 



ISAil tfiBll ISZI} 
i. 



I 1 

h ( ID a ) h(lDB) 



n"s"ziTi| } ifr-fr* 

h£IDz5 } ID** 



